I've had to add an organization policy that restricts access to the cloud for anyone. Only the IP addresses that I've explicitly granted are allowed.
Example: Try to log in from an unauthorized external IP, and you'll get an "Access blocked" screen when trying to access the organization via console.cloud.google.com.
The problem is now I cannot seem to make the simplest gcloud calls within the console.
For example: gcloud projects list
returns:
ERROR: (gcloud.projects.list) UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  metadata:
    method: google.cloudresourcemanager.v1.Projects.ListProjects
    service: cloudresourcemanager.googleapis.com
  reason: ACCESS_TOKEN_TYPE_UNSUPPORTED
When I try to authenticate to the account that is owner on the organization via gcloud auth application-default login, I get:
ERROR: Access was blocked due to an organization policy, please contact your admin to gain access.
ERROR: (gcloud.auth.application-default.login) (access_denied) Account restricted
Is this because gcloud is called from the console, which has an external and/or internal IP that isn't listed in the organization policy?
How do I resolve this considering my organization policy? How do I determine which kind of IPs to allow (internal vs external)?
EDIT:
I have confirmed it is an IP blockage problem, since I can call gcloud projects list within a local terminal from an authorized IP address.
Sounds like you might want to configure Private Google Access, seeing as you've implemented an org policy that restricts external access.
More info here: https://cloud.google.com/vpc/docs/configure-private-google-access
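For the question's last point (working out whether the address a gcloud session egresses from, such as a Cloud Shell session, is actually covered by the IP allowlist), here is an added diagnostic that is not part of the thread. The allowlist ranges and candidate addresses are constructed samples; feed it the real public egress address of the machine running gcloud and the ranges granted in the policy.

```shell
#!/bin/sh
# Added example (not from the thread): test whether an IPv4 source address
# falls inside any CIDR range of an org-level IP allowlist. All addresses
# below are constructed samples from documentation ranges.

ip_to_int() {
  # Convert a dotted-quad IPv4 address to a 32-bit integer.
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {
  # $1 = IPv4 address, $2 = range like 203.0.113.0/24 (a bare address is /32).
  # Exit status 0 when the address is inside the range, 1 otherwise.
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  if [ "$bits" -eq 0 ]; then mask=0
  else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

matching_range() {
  # $1 = IPv4 address, $2 = space-separated allowlist.
  # Prints the first matching range and returns 0; returns 1 with no output.
  for cidr in $2; do
    if ip_in_cidr "$1" "$cidr"; then echo "$cidr"; return 0; fi
  done
  return 1
}

# Constructed allowlist: an office range plus a single VPN exit address.
ALLOWLIST="203.0.113.0/24 198.51.100.17/32"

# Constructed candidates: a client inside the office range, and a session
# egressing from an address the policy was never told about.
for ip in 203.0.113.42 192.0.2.200; do
  if range=$(matching_range "$ip" "$ALLOWLIST"); then
    echo "$ip: allowed by $range"
  else
    echo "$ip: NOT in allowlist -> this session would hit the Access blocked page"
  fi
done
```

If the egress address of your gcloud session is not matched, the policy, not gcloud, is what is rejecting the login, and the fix is either adding that range or keeping the traffic on a path the policy already permits.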